Sources of the ISO27k standards themselves

There are several sources, so shop around for the best deals, for example on Google.

Several national standards bodies release translated versions of the ISO/IEC standards in their own languages. They all go to great lengths to ensure that the translations remain true to the original, causing some delay while the English language versions from ISO/IEC are translated, reviewed and released.

CLUSIF (Club de la Sécurité de l'Information Français) offers MEHARI, a risk assessment and management methodology that applies ISO/IEC 27005 guidance to ISO27k’s PDCA cycle. Don’t be put off if your French is as poor as mine: the information and tools are also available in English.

If you are actively implementing the ISO27k standards, you are welcome to join the ISO27k Forum to discuss the practicalities with others doing the same thing. The international community offers free ISO27k implementation advice, giving you the benefit of our collective experience in this field. Your own thoughts and inputs are most welcome, including queries, comments, contentious points to discuss, and feedback or improvement suggestions for this website.

Certification bodies such as International Standards Certifications audit ISMSs in order to certify their compliance with ISO/IEC 27001. It is recommended to contact a certification body well before you plan to get your ISMS certified, as they will need to schedule their auditors and can offer advice on the fine details of the audit process while you still have time to line up your organization. By the way, it is worth thinking about combining certification audits for multiple management system standards such as ISO 9001 and ISO/IEC 20000, as well as ISO27k.

ISO/IEC 27001: the future of infosec certification by Taiye Lambo, originally published in ISSA Journal, outlines reasons for implementing an ISMS including legal and regulatory compliance as well as reducing the costs arising from information security incidents.

British Standards Institute has published a number of useful little ISMS guidance booklets over the years, including BSI/DISC PD005, which contained a very handy overview diagram showing the typical lifecycle of an organization’s ISMS project. It would be good to see parts of this older material recycled into the newer guidance.

A piece by Ted Humphreys explaining the purpose and value of ISO/IEC 27001 might be a good way to introduce the ISO27k concept to your managers. It incorporates endorsements by companies that have benefited from adopting the standards.

A ROSI calculator takes user-entered values for Single Loss Expectancy to calculate Annual Loss Expectancy, then assesses the projected annual cost savings due to controls, and finally offsets the cost of those controls to generate the Return On Security Investment - which is fine if you can estimate the costs and effectiveness of your controls (good luck!).
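To make the arithmetic behind such a calculator concrete, here is an added worked example in Python; it is not the calculator referred to above nor any code from this site. It assumes the standard textbook definitions (ALE = SLE × ARO; annual savings = ALE × the fraction of loss the control removes; ROSI = (savings − control cost) / control cost) and uses constructed figures. It also adds two things the paragraph's caveat hints at: the mitigation ratio at which a control merely breaks even, and a sensitivity check showing how the sign of ROSI flips when the effectiveness estimate is wrong.

```python
"""ROSI worked example (added illustration; constructed figures, not real data)."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    sle: float               # Single Loss Expectancy: estimated cost of one incident
    aro: float               # Annualised Rate of Occurrence: expected incidents per year
    mitigation_ratio: float  # fraction of annual loss the control is expected to remove (0..1)
    control_cost: float      # annual cost of buying and running the control


def annual_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO (standard definition assumed here)."""
    return sle * aro


def annual_savings(s: Scenario) -> float:
    """Projected loss avoided per year; a control cannot remove more than 100% of the loss."""
    ratio = min(max(s.mitigation_ratio, 0.0), 1.0)
    return annual_loss_expectancy(s.sle, s.aro) * ratio


def rosi(s: Scenario) -> float:
    """Return On Security Investment as a ratio: (savings - cost) / cost.

    0.0 means the control exactly pays for itself; negative means it costs
    more than the loss it is expected to prevent.
    """
    if s.control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (annual_savings(s) - s.control_cost) / s.control_cost


def break_even_mitigation(s: Scenario) -> float:
    """Mitigation ratio at which the control just pays for itself (cost / ALE)."""
    ale = annual_loss_expectancy(s.sle, s.aro)
    if ale <= 0:
        raise ValueError("ALE must be positive to compute a break-even point")
    return s.control_cost / ale


def sensitivity(s: Scenario, factors=(0.5, 1.0, 2.0)) -> dict:
    """ROSI when the effectiveness estimate is off by each factor.

    This is the 'good luck' part: the same control looks like a loss or a
    clear win depending on an estimate nobody can measure precisely.
    """
    return {f: rosi(replace(s, mitigation_ratio=s.mitigation_ratio * f)) for f in factors}


# Constructed scenario: one serious incident every two years costing 200k;
# the proposed control is expected to remove 70% of that loss for 40k/year.
EXAMPLE = Scenario(
    name="hypothetical incident class",
    sle=200_000.0,
    aro=0.5,
    mitigation_ratio=0.7,
    control_cost=40_000.0,
)

if __name__ == "__main__":
    ale = annual_loss_expectancy(EXAMPLE.sle, EXAMPLE.aro)
    print(f"{EXAMPLE.name}: ALE = {ale:,.0f}, savings = {annual_savings(EXAMPLE):,.0f}")
    print(f"ROSI = {rosi(EXAMPLE):.0%}, break-even mitigation = {break_even_mitigation(EXAMPLE):.0%}")
    for factor, value in sensitivity(EXAMPLE).items():
        print(f"  effectiveness estimate x{factor}: ROSI = {value:.0%}")
```

With these figures the control returns 75% on its cost, but if its real effectiveness is only half the estimate it becomes a net loss, which is why the break-even ratio is often a more honest number to put in front of management than a single ROSI figure.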

Miscellany

“ISO” is not actually an acronym but the official name of the Swiss organization responsible for coordinating the world’s national standards bodies. Joint Technical Committee 1 (JTC1) looks after ISO’s IT standards while JTC1 Sub Committee 27 (JTC1/SC 27) is specifically responsible for the standards covering IT security techniques. JTC1/SC 27 is busy, judging by the number of security papers currently under consideration for encryption, privacy and identity management as well as ISO27k.